Musings about Entrepreneurship, Technology and Software Development

Accidental Technologist

Ruby Denial of Service (DoS) Vulnerability Options

A potentially harmful vulnerability was found in all pre-Ruby 1.9.1 version of Ruby.  The issue was reported on the Ruby-lang web site and says it effects:

1.8 series

  • 1.8.6-p368 and all prior versions
  • 1.8.7-p160 and all prior versions

Ruby 1.9.1 does not suffer from this problem but seems apparent JRuby does have this issue and has been tested to prove it.

The Problem

The issue is pretty simple to reproduce.  BigDecimal, when asked to parse an overly large number, causes segmentation faults.  The following will reveal the problem:

BigDecimal("9E69999999").to_s("F")

Solutions

There are quite a few solutions to this problem and most involve patching an existing installation of Ruby.  The Ruby web site offers links to download Ruby source for both 1.8.6 and 1.8.7:

Please upgrade to 1.8.6-p369 or ruby-1.8.7-p173.

There are various things to consider when doing an update like this and building from source.  I am an Ubuntu user and installed Ruby with the aptitude package manager so I could easily update to a later version of Ruby when it was released.  The problem here is the package sources won’t be updated right away and I will be stuck with the vulnerability until new packages are created and put out.  I probably won’t be effected by this issue as I have not yet but I would rather be safe, especially for my customers.

Having used a package manager, Ruby is installed in:

/usr/bin

The options at this point is to download and build Ruby from source.  Building Ruby from the Ruby website will by default but Ruby in:

/usr/local/bin

I won’t get into installing Ruby from source here, there are many good tutorials including one from FiveRuns, Compiling Ruby, RubyGems and Rails on Ubuntu.  You can use this tutorial for either of your flavors of Ruby.  Keep in mind you may need to adjust the PATH setting in your bash script to point to the right Ruby instance.  The post above states Ubuntu already has this set already, a quick check of my PATH and it indeed has this set.

One additional option that seems particularly attractive is Ruby Enterprise Edition (REE) from Phusion, the Passenger folks.  This group keeps on top of Ruby updates and is constantly updating their code.  They posted the DoS vulnerability fix almost right away and offer the source download or an Ubuntu package for 32 and 64-bit.

This is the option I am taking.  I have been wanting to move to REE for some time and I think it now the right time.  REE does by default install to the:

/opt/ruby_enterprise

directory, so a change to the bash environment is necessary.  The Phusion site has some good docs on how to install and configure REE:

Then follow the instructions that the installer gives you.

1.6. Configuring REE as the default Ruby interpreter

It is possible to configure REE as the default Ruby interpreter, so that when you type ruby, gem, irb, rake or other Ruby commands, REE’s version is invoked instead of the system Ruby’s version.

To do this, you must add REE’s bin directory to the beginning of the PATH environment variable. This environment variable specifies the command shell’s command search path. For example, you can do this on the command-line:

$ ruby some_program.rb    # <--- some_program.rb is being run
#      in the system Ruby interpreter.
$ export PATH=/opt/ruby-enterprise-X.X.X/bin:$PATH
$ ruby some_program.rb    # <--- some_program.rb will now be run in REE!

Invoking export PATH=... on the command-line has no permanent effect: its effects disappear as soon as you exit the shell. To make the effect permanent, add an entry to the file/etc/environment instead. On Ubuntu Linux, /etc/environment looks like this:

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"

Add REE’s bin directory to the PATH environment variable, like this:

PATH="/opt/ruby-enterprise-x.x.x/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"

This will give me both better memory usage and the added security of fixing BigDecimal.

This does effect Ruby on Rails and there is a patch to Rails as a quick workaround.

Conclusion

It is great to have options and open source gives us the ability to have many.  If building from source is the way to go then keep in mind all of the RubyGems already installed in the system(s) need to be installed again for that new version of Ruby.  This only applies if the Ruby path is changed to which Ruby is being used.